Prioritising trust before technology

THE utilisation of mobile phone data (MPD), like any other well-intentioned initiatives, is still open to many risks.

In this regard, the concerns over privacy, surveillance and consent are valid, especially in a country that has experienced high-profile data leaks.

Yet, these concerns are overshadowing the immense potential of MPD when handled ethically, transparently, and within the boundaries of the law, according to Datuk Dr Husin Jazri, an associate professor at the School of Computer Science, Faculty of Innovation and Technology at Taylor’s University.

MPD refers to information generated when a mobile phone interacts with a network provider’s infrastructure, from signal strength and transmission duration to general location patterns.

“When properly anonymised, with personal identifiers removed and aggregated into larger datasets, MPD cannot be traced to specific individuals.

“It does not reveal the content of calls, messages, or browsing history.

“In this form, it becomes a powerful tool for the public good,” said the academician, who is also director of the university’s Global Centre for Cyber Safety.

He added that globally, responsibly managed MPD had supported data-driven governance.

Citing a prime example, he said during the Covid-19 pandemic, aggregated mobility data was widely used to understand population movements and inform public health responses.

“In several countries, similar data has been applied to support tourism management, manage seasonal travel patterns, and reduce congestion.

“In Malaysia, MPD can help identify underserved communities, optimise transport routes, guide emergency response, and enhance tourism strategies – but only if public trust is secured,” he stressed.

Privacy ensured

In June last year, the Malaysian Communications and Multimedia Commission (MCMC) gave strong assurance that no personally identifiable information (PII) would be accessed, processed or disclosed in relation to its directive of requiring telecommunications companies (telcos) to provide data on all mobile phone calls made from January to March.

Its statement came as a clarification amid the media reports highlighting the matter.

MCMC had pointed out that MPD was used strictly for the generation of official statistics to support evidence-based policymaking in two key domains, namely the information-communication technology (ICT) and the tourism sectors.

“For the ICT sector, MPD helps produce granular statistics, such as the number of active mobile broadband subscriptions and penetration rates at the state, district, ‘mukim’ (district’s administrative sub-division), parliamentary constituency, DUN (State Legislative Assembly area), and local authority levels.

“For the tourism sector, it generates indicators such as the number of visitors and domestic tourism trips.

“The MPD data requested from the mobile network operators (MNOs) is anonymised and contains no PII.

“In addition, the MNOs are given the option of processing the MPD within their own secure environment and submitting the required anonymised and aggregated output to MCMC, or for MNOs without in-house processing capabilities, of submitting the anonymised data to MCMC for processing.

“In both cases, no individual subscriber can be identified through the data collected,” MCMC gave its assurance.

MCMC further clarified that the use of MPD as a new source of national statistics was a strategic direction set by the government to strengthen the quality and timeliness of statistical outputs for policy and planning purposes.

“Implementation of MPD is through collaboration with the International Telecommunication Union (ITU) and the United Nations Committee of Experts on Big Data and Data Science,” it added.

In the June 2025 statement, MCMC also said over the past couple of years, extensive engagements with all MNOs had been carried out to ensure mutual understanding of the data requirements, processes, and privacy safeguards

‘Transparency must be key principle’

According to Husin, the central concern for the public is not whether MPD works, but how it will be used.

“Without a clearly-stated purpose and open communication, even well-intentioned initiatives can invite suspicion.

“Transparency must, therefore, be the first principle of MPD governance.

“Those collecting or processing data should clearly articulate the purpose, scope, and safeguards before any collection begins.

“If the objective is to reduce traffic congestion, improve rural connectivity, or strengthen tourism planning, this should be communicated openly, supported by impact reporting and visible accountability.

“Such openness strengthens public confidence and reinforces compliance with the Personal Data Protection Act (PDPA),” he elaborated.

Husin said consent, in this context, did not mean individual approval for each anonymised dataset.

Instead, he pointed out that this would be embedded within the contractual relationship between the public and their service providers.

“The telcos, bound by the PDPA, have a responsibility to safeguard subscriber’s data.

“Where the third parties require access, they should receive only aggregated and anonymised datasets processed by the telcos themselves, ensuring that no personally identifiable information leaves the organisation,” he added.

Preventing misuse

Even anonymised data could be misused if handled carelessly.

‘Inference’, where anonymised datasets are cross-referenced with other sources such as closed-circuit television (CCTV) footage, could lead to re-identification, said Husin.

“This is why anonymisation must be paired with aggregation.

“Together, these safeguards should be able to reduce risks and protect against abuse.”

Husin pointed out that those handling MPD should position themselves as ‘guardians of privacy’, setting strict standards for anonymisation and aggregation before any data exchange could take place.

This, he said, could ensure that the systems would be designed to protect citizens, not threaten them.

“International best practices increasingly emphasise privacy-by-design, independent oversight, and transparency in data governance.

“Countries that have embedded these principles into their legal and institutional frameworks have been more successful in building public trust and enabling the responsible use of data for public benefit,” added the professor.

Balancing civic benefits, privacy

Nonetheless, Husin acknowledged that some quarters had argued that anonymised, aggregated MPD did not require consent because it could not be linked to an individual.

In this respect, while this might be legally defensible, he stressed that public trust was not built on legal interpretations alone.

“If people feel excluded from decision-making or perceive selective enforcement of rules, confidence erodes,” he said.

According to Husin, in Malaysia, the perception that PDPA obligations apply more strictly to private companies than other entities undermines trust.

“For public acceptance, all parties – public or private – must be held to the same standards of transparency, accountability, and fairness.

“Policies introduced for the public good should apply uniformly, without exception.

“To further strengthen trust, oversight should be managed by an independent data privacy commission instead.

“Such a body would ensure equal enforcement without fear of bias, political influence, or selective application of rules, while signalling Malaysia’s commitment to impartial governance and the highest level of data protection,” he said.

A path forward

Strong safeguards must be non-negotiable, stressed the academician, who has over 30 years of global experience in cybersecurity and data governance.

“Anonymisation should be irreversible,” he said.

“Data storage and deletion protocols must be enforced.

“Independent audits should verify compliance.

“These are not merely technical measures – they are ethical commitments to use data only for its intended purpose, protect it from misuse, and dispose of it responsibly.”

In reinforcing his points, Husin said to unlock MPD’s full potential, Malaysia must publicly declare the purpose of data collection; ensure that telcos would handle anonymisation and aggregation; apply equal legal and ethical standards to all parties; implement independent oversight for compliance.

“Handled with strong safeguards and transparency, MPD can drive smarter investments, improve public services, and strengthen long-term economic resilience while protecting privacy.

“Malaysia’s strategic location, cultural diversity, and digital ambitions offer an opportunity to lead the region in ethical ‘Big Data’ use.

“By applying fairness, openness, and consistent governance, MPD can shift from a source of concern to a valuable national asset, supporting better infrastructure, stronger tourism, and shared prosperity,” he added.

Husin is the founder of CyberSecurity Malaysia; co-founder and the first co-chair of Asia Pacific Computer Emergency Response Team (CERT); and founder and the first chair of Organisation of The Islamic Cooperation (OIC)-CERT.

The PhD in Computer Science (Cybersecurity) holder has led major national and international cyber defence initiatives, and his career across military, government, academia, and industry has positioned him as a leading voice at the intersection of technology, ethics, and public trust.

Husin is also a recipient of the Harold Tipton Lifetime Achievement Award by ISC2 – the world’s leading member association for cybersecurity professionals – which is a prestigious recognition accorded to members for their lifelong contributions to the advancement of information security and the profession by serving, over the long term, with sustained excellence and distinction throughout their entire cybersecurity career.